Solved

MTU SETTING

Posted on 2006-11-20
Last Modified: 2013-11-16
Right now our MTU on the PIX is 1500 on inside and outside.

The Cisco VPN client sets up at 1300 by default.

What will it affect by changing it from 1500 to 1300 to match the VPN client default?

We use SBS Exchange and Remote Web Workplace internally.

I figured it's easier to change it on the PIX itself, rather than re-writing the install client to match the 1500 setting on the PIX. I am about to be rolling out a lot of these VPN clients, so I wanted to make it as smooth as possible. Please let me know what's best and what will be affected by the change being made at the firewall. Thanks in advance.
Question by:jaysonfranklin
5 Comments
Accepted Solution by lrmoore (LVL 79, earned 800 total points), ID: 17982851
I would highly recommend leaving the PIX interface at the default and letting the VPN client software change the client end. The clients will typically be connecting from almost anywhere. It's the network endpoint closest to the user that can affect the MTU.
I have never seen any valid reason to change the firewall's MTU with the lone exception of DSL/PPPoE connections where the PIX itself is the PPPoE client and the MTU gets adjusted to 1492 to account for the extra 8-byte PPPoE overhead.

Author Comment by jaysonfranklin (LVL 1), ID: 17982895
So, do you think leaving the VPN clients' setting at 1300 while the PIX outside interface is at 1500 isn't a big deal?

Expert Comment by lrmoore (LVL 79), ID: 17983027
I do not think it is a big deal. I think it is the right thing to do.

Assisted Solution by Tim Holman (LVL 23, earned 400 total points), ID: 17983391
Leave both MTUs alone. If there is ever a case where an intermediary MTU is low enough to cause fragmentation, then there's something called PMTU Discovery that will help you out.
PMTU Discovery is a process by which a client negotiates the optimum MTU with a server by means of ICMP messages.
Fortunately for us, it's built into all modern TCP/IP stacks (PIX, VPN Client and DSL networks included!), so there's really no need to muck around with MTUs anymore. It was a bit different 10 years ago with dial-up connections, and paranoid sec admins who disabled ICMP. But these days, one would hope things are different. Apart from the last bit. I still come across the odd setup where an admin has incorrectly disabled all ICMP at his/her perimeter. It's not called 'Internet Control' MP for nothing! :)

Assisted Solution by rsivanandan (LVL 32, earned 400 total points), ID: 17984886
Agree with others on leaving it alone unless there are other reasons. Now, if you are thinking about changing it because your VPN client has 1300 and the PIX is at 1500:

You have to imagine the connection. Say a normal packet will be 1500-odd, but when you have an IPsec VPN into it, you're adding more fields and the packet gets a little bigger, so in order to avoid fragmentation it is better to have it at 1300 (which even I find very optimal while I'm in India and the PIX is in the US, especially with VoIP clients).

As well, the connection type of the VPN client needs to take this into consideration. I'm sure it will be lower than the PIX side?

Cheers,
Rajesh
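As an added worked example (not part of the thread and not Cisco's code), the calculator below puts numbers on two points made above: lrmoore's 8-byte PPPoE overhead (1492) and Rajesh's observation that ESP encapsulation grows the packet, so a 1300-byte client MTU leaves room while a 1500-byte one does not. The ESP layout follows the generic RFC 4303 structure; the per-algorithm sizes (AES-CBC 16-byte IV and block, HMAC-SHA1-96 12-byte ICV, NAT-T UDP encapsulation) are assumptions chosen for illustration, not settings taken from the thread.

```python
"""Estimate the on-the-wire size of an IPsec ESP tunnel-mode packet for a
given inner (VPN client) MTU and check it against the outer path MTU.
Algorithm sizes are assumed for illustration (see lead-in)."""

IPV4_HDR = 20      # outer IPv4 header added in tunnel mode
UDP_NAT_T = 8      # UDP/4500 encapsulation when NAT traversal is active
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
PPPOE_OVERHEAD = 8  # why a PPPoE link carries 1492 instead of 1500


def esp_packet_size(inner_len, iv=16, block=16, icv=12, nat_t=True):
    """Outer packet size, in bytes, for an inner IP packet of inner_len."""
    body = inner_len + ESP_TRAILER
    padding = (-body) % block       # pad so payload + trailer is block aligned
    encrypted = body + padding
    size = IPV4_HDR + ESP_HDR + iv + encrypted + icv
    if nat_t:
        size += UDP_NAT_T
    return size


def fits(client_mtu, path_mtu=1500, **kw):
    """True when a full-size client packet survives encapsulation without
    exceeding the outer path MTU, i.e. without being fragmented."""
    return esp_packet_size(client_mtu, **kw) <= path_mtu


def largest_client_mtu(path_mtu=1500, **kw):
    """Largest inner MTU whose encapsulated size still stays within path_mtu."""
    mtu = path_mtu
    while mtu > 0 and esp_packet_size(mtu, **kw) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    ethernet, pppoe = 1500, 1500 - PPPOE_OVERHEAD
    for client in (1500, 1400, 1300):
        for path in (ethernet, pppoe):
            print(f"client MTU {client} over path {path}: "
                  f"{esp_packet_size(client)} bytes, fits={fits(client, path)}")
    print("max inner MTU over Ethernet:", largest_client_mtu(ethernet))
    print("max inner MTU over PPPoE   :", largest_client_mtu(pppoe))
```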